3 OPEN VULNERABILITY AND ASSESSMENT LANGUAGE (OVAL) VALIDATION PROGRAM TEST REQUIREMENTS (DRAFT) Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Interagency Report discusses ITL s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards (Draft) 17 pages (Feb. 2010) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. ii

4 OPEN VULNERABILITY AND ASSESSMENT LANGUAGE (OVAL) VALIDATION PROGRAM TEST REQUIREMENTS (DRAFT) Acknowledgements The authors, John Banghart, Stephen Quinn, and Dave Waltermire of the National Institute of Standards and Technology (NIST), would like to thank the many people that reviewed and contributed to this document. In particular, the following individuals provided invaluable input and feedback: Jon Baker (MITRE) and Drew Buttner (MITRE). Abstract This report defines the requirements and associated test procedures necessary for products to achieve one or more Open Vulnerability and Assessment Language (OVAL) Validations. Validation is awarded based on testing a defined set of OVAL capabilities by independent laboratories that have been accredited for OVAL testing by the NIST National Voluntary Laboratory Accreditation Program (NVLAP). Audience The audiences for the OVAL Validation Program test requirements include laboratories that are accredited to conduct OVAL product testing for the program, vendors that are interested in receiving OVAL Validation for their products, and organizations seeking to deploy OVAL tools in their environments. The laboratories use the information in this report to guide their testing and to ensure that all necessary requirements are met by a product before recommending to NIST that the product be awarded the requested Validation. Vendors may use the information in this report to understand what features their products must have to be eligible to receive any of the OVAL Validations. Organizations use the information to gain insight into the criteria that products being considered for procurement must meet to be validated. Comments Comments on this report are welcome. Please direct them to iii

6 1. Introduction Open Vulnerability and Assessment Language (OVAL) is an information security community standard to promote open and publicly available security content, and to standardize the transfer of this information across security tools and services. The OVAL Language is an XML specification for exchanging technical details on how to check systems for security-related software flaws, configuration issues, and patches. The OVAL Language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of the assessment. In this way, OVAL enables open and publicly available security content and standardizes the transfer of this content across the entire spectrum of information security tools and services. OVAL is maintained by the MITRE Corporation. The capabilities and requirements described in this document have been derived from the OVAL Language Use Cases ( 1.1 Purpose and Scope of the Program The NIST OVAL Validation Program is designed to test the ability of products to use the features and functionality defined in the OVAL Language. An information technology (IT) product vendor can obtain one or more OVAL Validations for a product. These validations are based on the test requirements defined in this document, which cover four distinct but related validations based on product functionality. Note that OVAL Validation for a particular capability may not require all the tests that are defined. Table 1-2 provides a matrix indicating which tests are required for each capability. Under the OVAL Validation Program, independent laboratories are accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP) ( to conduct OVAL Validation testing. Accreditation requirements are defined in NIST Handbook 150 and NIST Handbook Independent laboratories conduct the tests contained in this document on IT security products and deliver the results to NIST. Based on the independent laboratory test report, the OVAL Validation Program then validates the product under test. The validation certificates awarded to vendor products are publicly posted on the NIST OVAL Validated Products web page ( 1 OVAL Validation will focus on evaluating specific versions of vendor products based on the platforms they support. Validation certificates will be awarded on a platform-by-platform basis for the version of the product that was validated. 1.2 Supported Version of OVAL (OVAL 5.6) These test requirements were developed for OVAL Version 5.6. Specification: Schema Location: Superseded Compatibility Programs The OVAL Validation Program supersedes the OVAL Compatibility Program, run by the MITRE Corporation. NIST and MITRE have worked closely to streamline this transition. The OVAL Validation 1 The OVAL Validation Program does not provide physical certificates to the participating vendors.

7 Program described in this document is independent but complementary to the MITRE OVAL Adoption Program. 2 These two programs work together to promote the proper use of OVAL. 2. Conventions and Definitions 2.1 Document Conventions The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in Request for Comment (RFC) As necessary, the availability of an Internet connection, wireless or wired, during the evaluation of each test requirement will be indicated by the statements permitted or not permitted. When permitted is indicated, a product may make full use of any available network connection to access Internet-based resources. If not permitted is indicated, then no Internet network connectivity shall be provided during evaluation of the test procedure. Every effort has been made in the test requirements to avoid mandating that the capability to run in the presence or absence of Internet connectivity be supported by a product. Use of an Internet connection in some test procedures is disallowed to ensure that the functionality being evaluated in the tool exists directly within the tool and not as the result of utilizing an Internet-based capability. Access to a local area network (LAN) shall be allowed in all tests to support client-server based implementations. 2.2 Common Definitions The following definitions represent key terms used in this document. Comparison Utility: A utility provided to the accredited laboratory testers by NIST for use in the validation of product data sets as defined by certain testing requirements. Deprecation: The OVAL Language defines a process by which constructs may be deprecated and eventually removed from the language. Deprecated constructs are considered valid components of the OVAL Language until they are officially removed. 4 Derived Test Requirement/Test Requirement: A statement of requirement, needed information, and associated test procedures necessary to test a specific OVAL feature. Import: A process available to end-users by which an OVAL xml file can be loaded manually into the vendor product. During this process, the vendor process may optionally translate this file into a proprietary format. Machine-Readable: Tool output that is in a structured format, typically XML, which can be consumed by another program using consistent processing logic. Major Revision: Modifications to the OVAL Language that invalidate OVAL content written for previous versions of the current major version will result in a major version change More information about the OVAL Adoption Program is available here: For more information, please refer to Internet Engineering Task Force (IETF) RFC 2119, Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. March 1997, For more information, please refer to the OVAL Language Deprecation policy:

8 Minor Revision: Modifications the OVAL Language that do not invalidate OVAL content written for previous versions of the current major version will result in a minor version change. All changes made in a minor version will be backward compatible with the previous minor versions within a given major version. 4 OVAL ID: An identifier for a specific OVAL Definition that conforms to the format for OVAL IDs. For more information please see the OVAL specification reference in Section 2.1. Product: A security software application, appliance, or security database that has one or more capabilities. Product Output: Information produced by a product. This includes the product user interface, humanreadable reports, and machine-readable reports. There are no constraints on the format. When this output is evaluated in a test procedure, either all or specific forms of output will be sampled as indicated by the test procedure. Reference Product: A product provided to accredited laboratory testers by NIST for use as a baseline for testing requirements. The product exhibits the behavior that is deemed to be correct. Capability: A specific function or functions of a product. The supported OVAL Capabilities are defined in Table 1-1. Target Platform: The target operating system or application on which a vendor product will be evaluated using a platform-specific validation lab test suite. These platform-specific test suites consist of specialized OVAL content used to perform the test procedures defined in this document. 5 For more information, please refer to the OVAL Language versioning methodology:

9 2.3 OVAL Validation Capabilities The OVAL Validation program is divided into five Capabilities, each targeting a different use case. This enables members of the OVAL Community to easily find the capability that best suits their need. Table 1-1 lists the capabilities. Table 1-1. OVAL Validation Capabilities Capability System Characteristics Producer Definition Repository Definition Evaluator Results Consumer Definition A product that generates a valid OVAL System Characteristics file based on the details of a system A repository of OVAL Definitions made available to the community (free or pay) A product that uses an OVAL Definition to guide evaluation and produces OVAL Results (full results) as output A product that accepts OVAL Results as input and either displays those results to the user, or uses the results to perform some action 2.4 Supported Target Platforms OVAL Validations are awarded on a per platform basis. Each platform is grouped with other like platforms and these platform groups are then associated with the set of OVAL Language schemas that must be supported for a given platform group. A product is expected to implement all applicable OVAL Language constructs defined in the schemas associated with the platform group that it supports. Additionally a product may be validated on any number of platforms. The table below lists the supported target platforms and the corresponding platform groups for which OVAL Validations are available. Table 1-2. OVAL Platform Groups OVAL Platform Groups Linux Red Hat EL 5 Mac OS Apple Mac OSX 10.6 Microsoft Windows Windows XP Window Vista Windows 7 Windows Server 2003 Windows Server 2008 Sun Solaris Solaris 10

11 3. Vendor Product Validation Testing Requirements The following guidelines must be followed by all vendors seeking validation of a product: 1. Vendors must provide the required vendor information detailed within the applicable derived test requirements. 2. Several OVAL tests require OVAL content as input. Therefore, vendor products may be required to import OVAL content. Vendors may update validated products, but the new version is not automatically validated. To validate an updated product, the vendor must send documentation to the laboratory that performed the existing validation explaining the validation-related changes to the product. This statement will be posted publicly by NIST with the product s validation and thus must not contain proprietary information. The vendor may provide the laboratory additional proprietary details that will not be sent to NIST and will not be publicly posted. The laboratory will review the changes, list the impacted testing requirements, and retest those requirements. The laboratory will then provide NIST a test report that summarizes how the product was changed and provides relevant test results. NIST will review the report and make a decision regarding whether to validate the updated product. If validation is granted, the newly validated product will have the same expiration date as the originally validated product since full testing of all requirements was not performed. Because of this, vendors may wish to fully retest an updated product if the expiration date is near and if a significant amount of retesting is required for the update. 4. Derived Test Requirements The following requirements have been derived from the OVAL Adoption Technical Use Cases and the Requirements and Recommendations for OVAL Adoption. The table below indicates which requirements shall be tested for each defined OVAL Capability. Table 1-4. OVAL Requirements per Validation Capability OVAL Requirement System Characteristics Producer Definition Repository Definition Evaluator Results Consumer R.1 X X X X R.2 X X X X R.3 X X X X R.4 X X X X R.5 X R.6 X X R.7 X R.8 X R.9 X R.10 X

12 4.1 Derived Test Requirements R.1: The product s documentation (printed or electronic) must state that it uses OVAL and explain relevant details to the users of the product. V.1: The vendor shall indicate where in the product documentation information regarding the use of OVAL can be found. This may be a physical document or a static electronic document (e.g., a PDF or help file). Required Test Procedures Internet Connectivity: Permitted T.1: The tester shall visually inspect the product documentation to verify that information regarding the product s use of OVAL is present and to verify that the OVAL documentation is in a location accessible to any user of the product. This test does not involve judging the quality of the documentation or its accuracy. R.2: The vendor must assert that the product implements the OVAL specification and provide a high-level summary of the implementation approach. V.2: The vendor shall provide a 150 to 500-word English language document to the accredited validation lab that asserts that the product implements support for one or more of the capabilities defined above, and provides a high-level summary of the implementation approach. This content will be used on NIST and MITRE web pages to explain details about each validated product and thus must contain only information that is to be publicly released. If applicable, this document shall include information about what product functionality uses OVAL versus what product functionality does not. Required Test Procedures Internet Connectivity: Permitted T.2.1: The tester shall inspect the provided documentation to verify that the documentation asserts that the product implements the OVAL specification and provides a high-level summary of the implementation approach. This test does not judge the quality or accuracy of the documentation, nor does it test how thoroughly the product implements OVAL. T.2.2: The tester shall verify that the provided documentation is an English language document consisting of 150 to 500 words. R.3: The product shall report and optionally reject OVAL content that is invalid according to the OVAL Language including constructs and restrictions specified in both XML Schema and Schematron schema.

13 V.3: The vendor shall provide instructions on how validation of OVAL content is performed and where errors from validation are displayed within the product output. Required Test Procedure Internet Connectivity: Not permitted T.3.1 (Definition Evaluator): The tester shall attempt to import known invalid OVAL Definition content into the vendor s product and examine the product output to validate that the product reports and optionally rejects the content as invalid according to the OVAL Definition schema and Schematron schema. T.3.2 (Definition Repository): The tester shall attempt to import known invalid OVAL Definition content into the vendor s product and examine the product output to validate that the product reports and optionally rejects the content as invalid according to the OVAL Definition schema and Schematron schema. T.3.3 (System Characteristics Producer): If the product produces OVAL System Characteristics based on input OVAL Definition documents, the tester shall attempt to import known invalid OVAL Definition content into the vendor product and examine the product output to validate that the product reports and optionally rejects the content as invalid according to the OVAL Definition schema and Schematron schema. If the product does not use OVAL Definition documents to produce OVAL System Characteristics no verification is needed by the tester. T.3.4 (Results Consumer): The tester shall attempt to import known invalid OVAL Full Results content into the vendor product and examine the product output to validate that the product reports and optionally rejects the content as invalid according to the OVAL Results schema and Schematron schema. R.4: The product output shall enable users to view the XML OVAL Definitions being consumed by the tool (e.g., within the product user interface or through an XML dump of the OVAL Definitions to a file). V.4: The vendor shall provide instructions on how the user can view the XML OVAL Definitions being consumed by the product. Required Test Procedure Internet Connectivity: Not permitted T.4: The tester shall follow the provided vendor instructions to view the XML OVAL Definitions being consumed by the product and verify that access is provided as stated. R.5: The product shall be able to correctly evaluate a valid OVAL Definition document against target systems of the target platform type and produce an result document using the full OVAL Results XML format with a definition result for each definition in the input OVAL Definition document.

14 V.5: The vendor shall provide instructions on how a valid OVAL Definition file can be imported into the product for evaluation. The vendor shall also provide instructions on where the resultant full OVAL Results XML output can be viewed by the tester. For T.5.5, the vendor shall indicate how two or more values can be specified for a variable used by one OVAL Definition. Required Test Procedure Internet Connectivity: Not permitted T.5.1: The tester shall run the tool using valid OVAL Definitions documents against the target systems of the target platform type. The results shall be compared against results from the OVAL reference implementation and they must produce the same pass/fail result for each OVAL Definition and criteria contained within the definition. T.5.2: The tester shall validate the resulting full OVAL Results XML output using the OVAL Results XML Schema and Schematron schema. Both of these validations must not produce any errors. T.5.3: The tester shall validate that the resulting full OVAL Results XML is available for viewing by the user. T.5.4: The tester shall inspect the product output and compare it against the reference results to ensure the proper use of result types ( not evaluated, error, etc.). T.5.5: When an OVAL Definition has been evaluated more than once on a single target system, each time with different values for the variables, the tester shall validate that the full OVAL Results XML file includes unique variable instance values for each individual case. R.6: The product shall generate system characteristics items that contain the exact system configuration values gathered at the time the product assessed the target system. V.6: The vendor shall provide the lab with product documentation (printed or electronic) indicating where the full OVAL Result XML or OVAL System Characteristics XML output can be viewed within the product output. Required Test Procedure Internet Connectivity: Not permitted T.6.1: (Definition Evaluator): The tester shall visually inspect the product output and compare the full OVAL Result XML to the expected results given the known configuration of the target platform. T.6.2: (System Characteristics Producer): The tester shall visually inspect the product output and compare the OVAL System Characteristics XML output to the expected output given the known configuration of the target platform.

15 R.7: The vendor shall document the process by which a user can import OVAL Results documents for interpretation by the product. V.7: The vendor shall provide product documentation (printed or electronic) to the lab indicating how users can import OVAL Results files for interpretation by the product. Required Test Procedure Internet Connectivity: Not permitted T.7: Using the vendor-provided documentation, the tester shall import one or more OVAL Results files for interpretation by the product. The tester shall confirm that this process works as documented by the vendor. R.8: All definitions, tests, objects, states, and variables within the product shall contain a unique OVAL ID with respect to all other definitions, tests, objects, states, and variables in the OVAL Community. V.8: The vendor shall provide product documentation (printed or electronic) to the lab indicating where in the product output the unique ID for all definitions, tests, objects, states, and variables can be viewed. Required Test Procedure Internet Connectivity: Not permitted T.8.1: The tester shall select a random sample of definitions, tests, objects, states, and variables (10%, up to 30, of each) from the product output and ensure that no duplicate IDs exists. T.8.2: The tester shall validate that the OVAL ID is valid according to the OVAL ID naming specification as expressed in the OVAL schema. R.9: Each definition shall keep the same OVAL ID across its existence. V.9: The vendor shall provide product documentation (printed or electronic) to the lab indicating where in the product output the definition OVAL ID can be viewed. This shall include reference to all components of the product in which the ID is displayed. Required Test Procedure Internet Connectivity: Not permitted T.9: The tester shall select a random sample of IDs from all components of the product output (10%, up to 30) and verify that the ID remains consistent across all instances. For example, if the product produces output as both an XML file and within a user interface, both must be examined to ensure that the OVAL Definition ID is the same for the definition under review.

16 R.10: The definition metadata shall be consistent with the definition content (e.g., the family should not be windows if the tests are examining Linux.) V.10: The vendor shall provide product documentation (printed or electronic) to the lab indicating where in the product output the definitions and associated metadata can be viewed. Required Test Procedure Internet Connectivity: Not permitted T.10: The tester shall select a random sample of IDs with metadata from the product output (10%, up to 30%) and verify that the metadata is consistent with the content of the definition.

Special Publication 800-145 (Draft) The NIST Definition of Cloud Computing (Draft) Recommendations of the National Institute of Standards and Technology Peter Mell Timothy Grance NIST Special Publication

Special Publication 800-145 The NIST Definition of Cloud Computing Recommendations of the National Institute of Standards and Technology Peter Mell Timothy Grance NIST Special Publication 800-145 The NIST

Introduction to OVAL: A new language to determine the presence of software vulnerabilities Matthew Wojcik / Tiffany Bergeron / Robert Roberge November 2003 The MITRE Corporation Table of Contents Introduction

NISTIR 7676 Maintaining and Using Key History on Personal Identity Verification (PIV) Cards David A. Cooper NISTIR 7676 Maintaining and Using Key History on Personal Identity Verification (PIV) Cards David

Qualys PC/SCAP Auditor Getting Started Guide August 3, 2015 COPYRIGHT 2011-2015 BY QUALYS, INC. ALL RIGHTS RESERVED. QUALYS AND THE QUALYS LOGO ARE REGISTERED TRADEMARKS OF QUALYS, INC. ALL OTHER TRADEMARKS

Vendor Provided Validation Details - McAfee Policy Auditor 6.2 The following text was provided by the vendor during testing to describe how the product implements the specific capabilities. Statement of

NIST Special Publication 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme Recommendations of the National Institute of Standards and Technology Peter Mell Tim Grance

Enterprise Desktop Virtualization Introduction For nearly a decade, IT industry thought leaders and vendor proponents have hailed the anticipated widespread adoption of virtual display desktop as the new

CA Service Desk Manager Release 12.5 Certification Matrix Last Updated: February 11, 2014 End-of-Service: May 31, 2013 CA Service Desk Manager will support service-packs and point-releases of Operating

electronic medication administration record This document describes the test procedure for evaluating conformance of EHR technology to the certification criteria defined in 45 CFR Part 170 Subpart C of

Migrating to Red Hat Enterprise Linux 4: Upgrading to the latest Red Hat release By Donald Fischer Abstract Red Hat Enterprise Linux subscribers may choose to deploy any of the supported versions of the

Framework 8.1 External Authentication Reference Manual The information contained herein is proprietary and confidential and cannot be disclosed or duplicated without the prior written consent of Genesys

Support Guide: Managing the Subject machine s Firewall. Note: This guide assumes you have successfully deployed F-Response to the subject/target machine. If not, then we recommend you look at one of the

FDCC & SCAP Content Challenges Kent Landfield Director, Risk and Compliance Security Research McAfee Labs Where we have been 1 st Security Automation Workshop nearly 20 people in a small room for the day

Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated

Report No. DODIG-2012-050 February 3, 2012 Improvements Needed With Host-Based Intrusion Detection Systems Warning This report is a product of the Inspector General of the Department of Defense. Its contents

Dell KACE K1000 System Management Appliance Version 5.4 Patching and Security Guide October 2012 2004-2012 Dell Inc. All rights reserved. Reproduction of these materials in any manner whatsoever without

Enterprise Test Management Standards Version 4.0 09/28/2012 Document Number: FSA_TOADG_STDS_TEST.TMS_001 Document Version Control This section summarizes this document revision history. Each entry includes

Service Asset and Configuration 1. Does the tool facilitate the registration and management of an organization s logical, physical and virtual Configuration Items (CIs)? For example, services, systems,

BY ORDER OF THE COMMANDER USTRANSCOM INSTRUCTION 33-3 UNITED STATES TRANSPORTATION COMMAND 5 DECEMBER 2011 Communications and Information MANAGEMENT OF PORTALS AND WEB SITES COMPLIANCE WITH THIS PUBLICATION

Remote Deposit Terms of Use and Procedures Use of American National Bank Fox Cities (Bank) Remote Deposit service is subject to the following Terms of Use and Procedures. Bank reserves the right to update

An Open Source Clinical Quality Measure Testing and Certification Tool Goals Proposed to be the rigorous and repeatable testing tool of Electronic Health Records (EHRs) and EHR modules in calculating Meaningful

White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

Information Technology Services The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University

CHAPTER 2 Operating Systems Objectives Upon completion of this chapter, you will able to answer the following questions: What is the purpose of an OS? What role do the shell and kernel play? What is the

Common Platform Enumeration (CPE) Technical Use Case Analysis The MITRE Corporation November, 2008 Executive Summary A common theme taken from discussions at the Common Platform Enumeration (CPE) Developer

The National Security Agency s Review of Emerging Technologies Taking the Open Source Road Raising the Bar in Operating System Security Cryptographic Binding of Metadata Providing a Secure Foundation with

Standards and Guidelines for Information Technology Infrastructure, Architecture, and Ongoing Operations This document describes applicable standards and guidelines for the university's policy on Information

PGP Command Line Version 10.0 Release Notes Thank you for using this PGP Corporation product. These Release Notes contain important information regarding this release of PGP Command Line. PGP Corporation

GlobalPlatform Self Testing and Product Qualification Processes Version 1.2.1 Public Release May 2013 Document Reference: GPC_PRO_042 Recipients of this document are invited to submit, with their comments,

Foundations for Systems Development ASSIGNMENT 1 Read this assignment introduction. Then, read Chapter 1, The Systems Development Environment, on pages 2 25 in your textbook. What Is Systems Analysis and

ADDENDUM 4 TO APPENDIX 3 TO SCHEDULE 3.3 TO THE Statement of Technical Approach for Security Services The Security Services technical approach is focused on the personnel, systems and security necessary

NETWRIX IDENTITY MANAGEMENT SUITE FEATURES AND REQUIREMENTS Product Version: 3.3 February 2013. Legal Notice The information in this publication is furnished for information use only, and does not constitute